Included release tonarino/innernet@v1.5.5 in focal.

debian/dists/focal/InRelease

@@ -1,36 +1,36 @@
 -----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
+Hash: SHA512
 
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: focal
-Date: Fri, 12 May 2023 14:56:39 UTC
+Date: Fri, 12 May 2023 15:02:26 UTC
 Architectures: amd64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
- d41d8cd98f00b204e9800998ecf8427e 0 contrib/binary-amd64/Packages
+ 6bf1b3c90c55987fe5db62ce0d1cdcde 11445 contrib/binary-amd64/Packages
- 7029066c27ac6f5ef18d660d5741979a 20 contrib/binary-amd64/Packages.gz
+ 6966cf89f9e920bed8c0f97a98cb82d8 4573 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
 SHA1:
- da39a3ee5e6b4b0d3255bfef95601890afd80709 0 contrib/binary-amd64/Packages
+ 694753a371a89eb925ed0b3eb4603d3abda3db90 11445 contrib/binary-amd64/Packages
- 46c6643f07aa7f6bfe7118de926b86defc5087c4 20 contrib/binary-amd64/Packages.gz
+ 564affc01127f6a585f6d803b2b48bed9973f3d7 4573 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
 SHA256:
- e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 contrib/binary-amd64/Packages
+ 02dd85afec2418cc0663a82aed38b50e1573d01d394e4b6f193dbc5c9424e73e 11445 contrib/binary-amd64/Packages
- 59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2 20 contrib/binary-amd64/Packages.gz
+ 85879182f346281d39769a9e2882aa70e5d39934584b5d7d914e12dd3e2fae79 4573 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAEBCAAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmReU6cACgkQZYKNdDzu
+iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmReVQQACgkQZYKNdDzu
-i2ncbAv+MSmVzQHbG3YPEVCRMCdZZOeHos5GvzO7VGhoabPsxFtPbthYW/waSPok
+i2kzzwv+OBm41WDgMKDRinGpKGG2nh4Tf5l/6hMbyK44WPT/E7x8AeZT7myCvdtb
-a19jRcXWhhTiRL0+uuA6hyY/kXNk0wbKsfZ4jwtWx/YLJB/TcFLUmNGognGUtJfc
+rPn1VQ5+oQ7dGJreivXJNDULpKupp0y9IR4JibIhd24ujLKp9W+YcZHYWSXs5USd
-o63AI6Aa4w14ST5UJ/yiTnj0aAy6u0fSyJGQ2C7L7OqvPp4KZfGYrksT2vYpgibI
+0el8W2jeIfGeoOQcAU/93siCVrcrhVp7PqVtV9sPkmihifLIojw/oSUHEzf4zEDX
-IRfZG/9638KDBR0kPQUw5I2nADbpTADZNmo/MXCLHzkCADUn1Ehkx2F4pFgwXpi7
+7VHrScFUNDhumbilpBahRkFKC02B3qAE+uyDLlnZ1ht90dCRp5oG4G6PyWDTc9qE
-Rjin5ZjEsxR2X+koi7qVzlLwXI0Uk6lazvFo18v0LJRZHW51VNeghHTs1OzQaNac
+xthDJH5Qgrvf0v7THlM480AjqOIY+ZUS91T9x+lEth3BL4ezmAX3+ezfC10X/QUS
-ZyWIgUNkwJA/4O6Ren6Egl0/uaZW9Sxmag1cI98RR5oDkiB0CoFnUpKHSr50gBQt
+o7VKGs2K1SKnI5WMmLqswMv9c5cL5KUZf0sVmvgAO7uuFU2LRzunceo2DKXZajdh
-hdV1VoJilQ8ClmY811TZz5IL0BGJZpmf3YQqleC91WAIYV+mY1IGWMgXR5zTByPF
+kKp4FigdI7kte8ytlgg22dTtRMSRDspp2SCFQc8ULw6DgglylJlMIeLDNWynJmwR
-oW8hfaP1CfSXh21vMTBLZzh1tHBf3f9RJcJjw24ruTYLWOinSq83ID4lhJi7Vq8a
+yeSU+8TUnLsDzROfGnRqJRie4+j58oX1eAX+1I4c10/bvRMNGzngraUCpQPEXzHL
-sseMD9Jr
+pP/75354
-=Llk0
+=a5ns
 -----END PGP SIGNATURE-----

debian/dists/focal/Release

@@ -1,19 +1,19 @@
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: focal
-Date: Fri, 12 May 2023 14:56:39 UTC
+Date: Fri, 12 May 2023 15:02:26 UTC
 Architectures: amd64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
- d41d8cd98f00b204e9800998ecf8427e 0 contrib/binary-amd64/Packages
+ 6bf1b3c90c55987fe5db62ce0d1cdcde 11445 contrib/binary-amd64/Packages
- 7029066c27ac6f5ef18d660d5741979a 20 contrib/binary-amd64/Packages.gz
+ 6966cf89f9e920bed8c0f97a98cb82d8 4573 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
 SHA1:
- da39a3ee5e6b4b0d3255bfef95601890afd80709 0 contrib/binary-amd64/Packages
+ 694753a371a89eb925ed0b3eb4603d3abda3db90 11445 contrib/binary-amd64/Packages
- 46c6643f07aa7f6bfe7118de926b86defc5087c4 20 contrib/binary-amd64/Packages.gz
+ 564affc01127f6a585f6d803b2b48bed9973f3d7 4573 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
 SHA256:
- e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 contrib/binary-amd64/Packages
+ 02dd85afec2418cc0663a82aed38b50e1573d01d394e4b6f193dbc5c9424e73e 11445 contrib/binary-amd64/Packages
- 59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2 20 contrib/binary-amd64/Packages.gz
+ 85879182f346281d39769a9e2882aa70e5d39934584b5d7d914e12dd3e2fae79 4573 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release

debian/dists/focal/Release.gpg

@@ -1,14 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAABCAAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmReU6cACgkQZYKNdDzu
+iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmReVQIACgkQZYKNdDzu
-i2n6dgv/U7FIQ7kThavV/Y/atjkdyVOvM11tQo7NgDVwTwfajdqVldc6YgobPIHd
+i2l2wQv/btI/pzHQRuQBNk3Lf74S1QHCsdA3COsq4H5njgWNEw5nSipAkliJPc/f
-u1Wp8mH192kYhMUqPD5as0QuvBSLn6EJRMiBBSi4lYaRgvUUJBBp4eBHI5bPUMkj
+933n2gQ/d8gVcQ2gmFk9SXNaJWYD3VlkzYtWiprzICujKBHtG25CJA4snILfNBKx
-r7owCVW+fzVs13TxtqS9+Scjkn3cJ3V6jJWJ9IoI9Lyx05mE9HUGWhysnDGfGr2L
+3E74LZZgWZ3MvbMUwypLDsuIhJ7it6Gv6Oj7rAi6ndNXY+tAZiEGFvtzpyOP0Y5E
-LmWFF4dIcyH3Gk5a9POBOjVf6SEGKjtcL7vq/JnNSVcsOYis0sy3Mg+drO7FXoOm
+lp/LpQsWLQOz9dpM4+iC5q8V10eYOGnyYMro2KvmPqVBjWtWCUkLaVsVODmBepD5
-V/OERe0dwYM4hSfPzo/W5awFT2/Xp3Du3Ta+M4O+g0wxPbcRTrF5gAdoF7Hujv80
+gYeATX9888wlsIge3Auq/5c4r2GKZqWOADiGvwDRfB2R7QMgMZflL6YGW8ZrBG60
-DDScp8L29Q8imnh6OMLco2Ir0hyXkGU4XOVF0gDzILVtGGuilfQoDvYqURba8rKw
+tkpTgbch5EppVQbMFPZjIHvE4hBBql1FkrJHlRwzObmqMvOZGWY/ypgilomoB4ll
-CVByQtr4i5R183T25OL19X+cK3pDG850a+4fWfs/MgUUcR5PjcjGTq85/rIPVCRk
+njNlIFHeASB1a4QDS51nqQ7z2NuOTPBsJzmw1ch3q0oTlmae1mmXbI133EXJk2SZ
-4WCtBCYfU9l/v5Hu8JSxI88yhaMqxPhzOX4bF20u2gruxOniH0f65GrjeSSraYgC
+QFeWpAtJyUG11VScA5oXDMxg+lvfEzUXsAu2V+2v2Pn5X0+59a6En+x8TTNEFp1G
-O0BAD9lt
+QZDBydGz
-=Pc+a
+=xbl6
 -----END PGP SIGNATURE-----

debian/dists/focal/contrib/binary-amd64/Packages

@@ -0,0 +1,369 @@
+Package: innernet
+Version: 1.5.5-0ubuntu0~focal
+Architecture: amd64
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 5759
+Depends: libc6, libgcc1, systemd
+Recommends: wireguard
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet/innernet_1.5.5-0ubuntu0~focal_amd64.deb
+Size: 939640
+SHA256: c615d99731d6f399b783f6239370546b1065817fd7f070038315c111d3cec838
+SHA1: 2cbd17453ceda778f88e1841a51e7c0ce810638f
+MD5sum: 6fb3ff388df704868faf85bcfd5cc010
+Description: A client to manage innernet network interfaces.
+ innernet client binary for fetching peer information and conducting admin tasks
+ such as adding a new peer.
+
+Package: innernet-server
+Version: 1.5.5-0ubuntu0~focal
+Architecture: amd64
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 3929
+Depends: systemd, libsqlite3-0, libc6, zlib1g, libgcc1
+Recommends: wireguard
+Source: innernet
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet-server/innernet-server_1.5.5-0ubuntu0~focal_amd64.deb
+Size: 1418744
+SHA256: 2dba733dd4f6ce35ca7785992f318131aa9e9d6e9cb7d4693fa81ab7c98dd78b
+SHA1: 9bbc84244d0dd6f4dc46bfb4c4883e02e52cba69
+MD5sum: 6891156125ffe8218fc85a4af683ed03
+Description: A server to coordinate innernet networks.
+ # innernet
+ .
+ A private network system that uses [WireGuard](https://wireguard.com) under the
+ hood. See the [announcement blog
+ post](https://blog.tonari.no/introducing-innernet) for a longer-winded
+ explanation.
+ .
+ <img
+ src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
+ width="600" height="370">
+ .
+ `innernet` is similar in its goals to Slack's
+ [nebula](https://github.com/slackhq/nebula) or
+ [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
+ It aims to take advantage of existing networking concepts like CIDRs and the
+ security properties of WireGuard to turn your computer's basic IP networking
+ into more powerful ACL primitives.
+ .
+ `innernet` is not an official WireGuard project, and WireGuard is a registered
+ trademark of Jason A. Donenfeld.
+ .
+ This has not received an independent security audit, and should be considered
+ experimental software at this early point in its lifetime.
+ .
+ ## Usage
+ .
+ ### Server Creation
+ .
+ Every `innernet` network needs a coordination server to manage peers and
+ provide endpoint information so peers can directly connect to each other.
+ Create a new one with
+ .
+ ```sh
+ sudo innernet-server new
+ ```
+ .
+ The init wizard will ask you questions about your network and give you some
+ reasonable defaults. It's good to familiarize yourself with [network
+ CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
+ of innernet's access control is based upon them. As an example, let's say the
+ root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
+ special "infra" CIDR which contains the `innernet` server itself and is
+ reachable from all CIDRs on the network.
+ .
+ Next we'll also create a `humans` CIDR where we can start adding some peers.
+ .
+ ```sh
+ sudo innernet-server add-cidr <interface>
+ ```
+ .
+ For the parent CIDR, you can simply choose your network's root CIDR. The name
+ will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
+ unless you only want to support 256 humans, but it works for now...).
+ .
+ By default, peers which exist in this new CIDR will only be able to contact
+ peers in the same CIDR, and the special "infra" CIDR which was created when the
+ server was initialized.
+ .
+ A typical workflow for creating a new network is to create an admin peer from
+ the `innernet-server` CLI, and then continue using that admin peer via the
+ `innernet` client CLI to add any further peers or network CIDRs.
+ .
+ ```sh
+ sudo innernet-server add-peer <interface>
+ ```
+ .
+ Select the `humans` CIDR, and the CLI will automatically suggest the next
+ available IP address. Any name is fine, just answer "yes" when asked if you
+ would like to make the peer an admin. The process of adding a peer results in
+ an invitation file. This file contains just enough information for the new peer
+ to contact the `innernet` server and redeem its invitation. It should be
+ transferred securely to the new peer, and it can only be used once to
+ initialize the peer.
+ .
+ You can run the server with `innernet-server serve <interface>`, or if you're
+ on Linux and want to run it via `systemctl`, run `systemctl enable --now
+ innernet-server@<interface>`. If you're on a home network, don't forget to
+ configure port forwarding to the `Listen Port` you specified when creating the
+ `innernet` server.
+ .
+ ### Peer Initialization
+ .
+ Let's assume the invitation file generated in the steps above have been
+ transferred to the machine a network admin will be using.
+ .
+ You can initialize the client with
+ .
+ ```sh
+ sudo innernet install /path/to/invitation.toml
+ ```
+ .
+ You can customize the network name if you want to, or leave it at the default.
+ `innernet` will then connect to the `innernet` server via WireGuard, generate a
+ new key pair, and register that pair with the server. The private key in the
+ invitation file can no longer be used.
+ .
+ If everything was successful, the new peer is on the network. You can run
+ things like
+ .
+ ```sh
+ sudo innernet list
+ ```
+ .
+ or
+ .
+ ```sh
+ sudo innernet list --tree
+ ```
+ .
+ to view the current network and all CIDRs visible to this peer.
+ .
+ Since we created an admin peer, we can also add new peers and CIDRs from this
+ peer via `innernet` instead of having to always run commands on the server.
+ .
+ ### Adding Associations between CIDRs
+ .
+ In order for peers from one CIDR to be able to contact peers in another CIDR,
+ those two CIDRs must be "associated" with each other.
+ .
+ With the admin peer we created above, let's add a new CIDR for some theoretical
+ CI servers we have.
+ .
+ ```sh
+ sudo innernet add-cidr <interface>
+ ```
+ .
+ The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
+ it can be anything.
+ .
+ For now, we want peers in the `humans` CIDR to be able to access peers in the
+ `ci-servers` CIDR.
+ .
+ ```sh
+ sudo innernet add-association <interface>
+ ```
+ .
+ The CLI will ask you to select the two CIDRs you want to associate. That's all
+ it takes to allow peers in two different CIDRs to communicate!
+ .
+ You can verify the association with
+ .
+ ```sh
+ sudo innernet list-associations <interface>
+ ```
+ .
+ and associations can be deleted with
+ .
+ ```sh
+ sudo innernet delete-associations <interface>
+ ```
+ .
+ ### Enabling/Disabling Peers
+ .
+ For security reasons, IP addresses cannot be re-used by new peers, and
+ therefore peers cannot be deleted. However, they can be disabled. Disabled
+ peers will not show up in the list of peers when fetching the config for an
+ interface.
+ .
+ Disable a peer with
+ .
+ ```su
+ sudo innernet disable-peer <interface>
+ ```
+ .
+ Or re-enable a peer with
+ .
+ ```su
+ sudo innernet enable-peer <interface>
+ ```
+ .
+ ### Specifying a Manual Endpoint
+ .
+ The `innernet` server will try to use the internet endpoint it sees from a peer
+ so other peers can connect to that peer as well. This doesn't always work and
+ you may want to set an endpoint explicitly. To set an endpoint, use
+ .
+ ```sh
+ sudo innernet override-endpoint <interface>
+ ```
+ .
+ You can go back to automatic endpoint discovery with
+ .
+ ```sh
+ sudo innernet override-endpoint -u <interface>
+ ```
+ .
+ ### Setting the Local WireGuard Listen Port
+ .
+ If you want to change the port which WireGuard listens on, use
+ .
+ ```sh
+ sudo innernet set-listen-port <interface>
+ ```
+ .
+ or unset the port and use a randomized port with
+ .
+ ```sh
+ sudo innernet set-listen-port -u <interface>
+ ```
+ .
+ ### Remove Network
+ .
+ To permanently uninstall a created network, use
+ .
+ ```sh
+ sudo innernet-server uninstall <interface>
+ ```
+ .
+ Use with care!
+ .
+ ## Security recommendations
+ .
+ If you're running a service on innernet, there are some important security
+ considerations.
+ .
+ ### Enable strict Reverse Path Filtering ([RFC
+ 3704](https://tools.ietf.org/html/rfc3704))
+ .
+ Strict RPF prevents packets from _other_ interfaces from having internal source
+ IP addresses. This is _not_ the default on Linux, even though it is the right
+ choice for 99.99% of situations. You can enable it by adding the following to a
+ `/etc/sysctl.d/60-network-security.conf`:
+ .
+ ```
+ net.ipv4.conf.all.rp_filter=1
+ net.ipv4.conf.default.rp_filter=1
+ ```
+ .
+ ### Bind to the WireGuard device
+ .
+ If possible, to _ensure_ that packets are only ever transmitted over the
+ WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
+ or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
+ though, this is less of a concern.
+ .
+ ### IP addresses alone often aren't enough authentication
+ .
+ Even following all the above precautions, rogue applications on a peer's
+ machines could be able to make requests on their behalf unless you add extra
+ layers of authentication to mitigate this CSRF-type vector.
+ .
+ It's recommended that you carefully consider this possibility before deciding
+ that the source IP is sufficient for your authentication needs on a service.
+ .
+ ## Installation
+ .
+ innernet has only officially been tested on Linux and MacOS, but we hope to
+ support as many platforms as is feasible!
+ .
+ ### Runtime Dependencies
+ .
+ It's assumed that WireGuard is installed on your system, either via the kernel
+ module in Linux 5.6 and later, or via the
+ [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
+ implementation.
+ .
+ [WireGuard Installation Instructions](https://www.wireguard.com/install/)
+ .
+ ### Arch Linux
+ .
+ ```sh
+ pacman -S innernet
+ ```
+ .
+ ### Ubuntu
+ .
+ Fetch the appropriate `.deb` packages from
+ https://github.com/tonarino/innernet/releases and install with
+ .
+ ```sh
+ sudo apt install ./innernet*.deb
+ ```
+ .
+ ### macOS
+ .
+ ```sh
+ brew install tonarino/innernet/innernet
+ ```
+ .
+ ### Cargo
+ .
+ ```sh
+ # to install innernet:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 client
+ .
+ # to install innernet-server:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 server
+ ```
+ .
+ Note that you'll be responsible for updating manually.
+ .
+ ## Development
+ .
+ ### `innernet-server` Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ - `libsqlite3`
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet-server
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet-server`
+ .
+ ### `innernet` Client CLI Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet`
+ .
+ ### Releases
+ .
+ 1. Run `cargo release [--dry-run] [minor|major|patch|...]` to automatically
+ bump the crates appropriately.
+ 2. Create a new git tag (ex. `v0.6.0`).
+ 3. Push (with tags) to the repo.
+ .
+ innernet uses GitHub Actions to automatically produce a debian package for the
+ [releases page](https://github.com/tonarino/innernet/releases).
+